Techniques have been disclosed to detect anomalous behavior, for example anomalous resource access behavior by users of a set of resources, in order to detect insider threats in an enterprise network. For example, a temporal behavior matrix per user (time windows as rows, resources as columns) may be analyzed, e.g., via a subspace learning method such as principal component analysis, to model that user's normal historical behavior, and the resulting model is then used to detect anomalous behavior that departs from the historical baseline captured by the model.
Behavior detected as being anomalous may require investigation or other responsive action. In some cases, a behavioral modeling approach to anomaly detection as described above may generate too many alerts to be investigated in a timely and effective manner, and/or too many “false positives”, i.e., it may identify as anomalous behaviors that are not of concern. One such case is a user being observed to use for the first time a resource that belongs to the same group of resources as other resources the user has been observed to access before.
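The following is an added example, not code from the disclosure above, showing the two ideas in working form: a per-user temporal behavior matrix (weeks by resources) is modeled with PCA via power iteration, the residual of a new week outside the learned subspace is the anomaly score, and a resource-group map is then used to down-rank a first use of a resource whose group the user already uses. The access counts, the resource names R0..R5, the group map, the choice of two components and the mean-plus-three-sigma threshold are all constructed assumptions for the illustration.

```python
"""PCA-based anomaly triage over a user's temporal behavior matrix (added example).

Constructed data: one user's weekly access counts to six resources R0..R5.
Rows of the matrix are weeks, columns are resources. PCA on the history
gives the "normal" subspace; a new week's residual outside that subspace is
its anomaly score. A resource-group map then separates "first use of a
resource in a group the user already uses" from a departure into a new group.
"""
import math

RESOURCES = ["R0", "R1", "R2", "R3", "R4", "R5"]
# Hypothetical group map: which logical share/system each resource belongs to.
RESOURCE_GROUPS = {"R0": "finance-share", "R1": "finance-share", "R2": "finance-share",
                   "R3": "eng-repo", "R4": "eng-repo", "R5": "hr-db"}

# Constructed 8-week history: the user lives in R0, R1 and R3 and never touches the rest.
HISTORY = [
    [10, 8, 0, 3, 0, 0], [12, 7, 0, 4, 0, 0], [9, 9, 0, 2, 0, 0], [11, 8, 0, 3, 0, 0],
    [10, 10, 0, 5, 0, 0], [13, 6, 0, 3, 0, 0], [9, 8, 0, 4, 0, 0], [11, 9, 0, 2, 0, 0],
]


def _col_means(rows):
    n = len(rows)
    return [sum(r[j] for r in rows) / n for j in range(len(rows[0]))]


def _covariance(centered):
    n, d = len(centered), len(centered[0])
    return [[sum(r[i] * r[j] for r in centered) / n for j in range(d)] for i in range(d)]


def _top_components(cov, k, iters=500):
    """Power iteration with Hotelling deflation: k (approximately) orthonormal principal directions."""
    d = len(cov)
    comps, work = [], [row[:] for row in cov]
    for _ in range(k):
        v = [1.0] * d
        for _ in range(iters):
            w = [sum(work[i][j] * v[j] for j in range(d)) for i in range(d)]
            norm = math.sqrt(sum(x * x for x in w))
            if norm == 0.0:          # no variance left to explain
                v = [0.0] * d
                break
            v = [x / norm for x in w]
        lam = sum(v[i] * sum(work[i][j] * v[j] for j in range(d)) for i in range(d))
        comps.append(v)
        work = [[work[i][j] - lam * v[i] * v[j] for j in range(d)] for i in range(d)]
    return comps


def _residual_norm(centered_row, comps):
    """Distance from a centered row to its projection onto the learned subspace."""
    proj = [0.0] * len(centered_row)
    for v in comps:
        coef = sum(a * b for a, b in zip(centered_row, v))
        proj = [p + coef * x for p, x in zip(proj, v)]
    return math.sqrt(sum((a - p) ** 2 for a, p in zip(centered_row, proj)))


def fit_baseline(history, k=2):
    """Learn the user's normal subspace and a residual threshold from historical weeks."""
    means = _col_means(history)
    centered = [[x - m for x, m in zip(row, means)] for row in history]
    comps = _top_components(_covariance(centered), k)
    residuals = [_residual_norm(row, comps) for row in centered]
    mu = sum(residuals) / len(residuals)
    sigma = math.sqrt(sum((r - mu) ** 2 for r in residuals) / len(residuals))
    seen = {RESOURCES[j] for j in range(len(RESOURCES)) if any(r[j] > 0 for r in history)}
    # Assumption: a week is anomalous when its residual exceeds mean + 3 sigma of history.
    return {"means": means, "comps": comps, "threshold": mu + 3 * sigma, "seen": seen}


def triage(baseline, week, groups=RESOURCE_GROUPS):
    """Score one week and decide whether a first-use alert deserves analyst time."""
    centered = [x - m for x, m in zip(week, baseline["means"])]
    score = _residual_norm(centered, baseline["comps"])
    if score <= baseline["threshold"]:
        return {"score": score, "verdict": "normal", "novel": []}
    novel = [RESOURCES[j] for j, x in enumerate(week) if x > 0 and RESOURCES[j] not in baseline["seen"]]
    seen_groups = {groups[r] for r in baseline["seen"]}
    if novel and all(groups[r] in seen_groups for r in novel):
        verdict = "known-group-novelty"   # first use within an already-used group: low priority
    else:
        verdict = "escalate"              # new group, or a departure not explained by a new resource
    return {"score": score, "verdict": verdict, "novel": novel}


def demo():
    """Three constructed weeks: a usual one, a same-group first use, a new-group first use."""
    base = fit_baseline(HISTORY)
    weeks = {"normal": [10, 8, 0, 3, 0, 0],
             "same_group": [10, 8, 10, 3, 0, 0],   # R2 is new but sits in finance-share with R0/R1
             "new_group": [10, 8, 0, 3, 0, 10]}    # R5 is new and hr-db has never been used
    return {name: triage(base, w)["verdict"] for name, w in weeks.items()}


if __name__ == "__main__":
    print(demo())
```

The same-group week still scores far above threshold (its R2 coordinate has zero variance in history, so no principal direction can explain it), which is exactly the alert the text describes as not worth an investigation; the group lookup is what separates it from the new-group week, which keeps its full priority.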